Friday, 6 July 2007

Back to Basics

When I first started out in IT Security, around 10 years ago now, which is a lifetime ago, probably 2 or 3 in technology terms, there were 3 main issues/solutions:

1. Authentication, it wasn't strong enough, passwords were weak, and were being hacked.
2. Firewalls, to protect your network of course!
3. F5 were just beginning to find a space, Foundry had a REALLY complicated box called the ServerIron XL. I'm sure there were others, but I didn't see them.
4. Something to protect data, no-one really knew what, how or where to do this, encryption was popular, but not understood. Some people thought this could be done with load balancers, firewalls, etc.

These are all encompassing terms, but there's a reason for that which will be revealed. Oh, how I love to tantalise you! Read on.

I worked with RSA SecurID, which for all I know is still the de facto standard. I lost interest in AAA around the same time as I did firewalls. It's pretty much the same solution however you look at it. There are clever ways to ensure transactions, etc. (hat tip: Igor Drokov and co. at Cronto have a great looking new solution in this area, please take a look.), but personally I don't find it that interesting and (maybe because) there are better men than I doing the work.

I worked with Checkpoint (didn't everyone at that time?), Cisco PIX (ditto), and more recently Juniper firewalls. They're all much of a muchness, each company did well out of the firewall craze as the internet exploded in the 90s, (OK so Cisco were doing OK before that even, and for different reasons). The very fact that each of these companies is now scrabbling around trying to fit more functionality into their boxes shows me that firewalls are at best a commodity, and probably nearer to a lame duck, if not a dead one. Juniper have added Network Access Control, SSL VPN, content filtering, etc, etc. I'm sure the others have similar. Trying to win back market share is a business decision however, not a security one. This is a worrying trend which often makes for odd security devices. I also note that Bluecoat have turned their fabulous proxy box into something capable of very similar things. Convergence, or following the herd? I don't know, maybe it's a clever product manager, but maybe it's too many cooks.

But what happened to the data security? Back in the day there was encryption of email using certificates, messy PKI, so fledgling encryption devices appeared with their own internal key management, and disappeared because it was too early. I worked with Ingrian in their first foray into the UK, and there wasn't a lot of interest at the time, even though the solution was one of the coolest I'd seen. It was easy to use and made total sense. Sadly the market was still coming down from the trees and still discovering the fire to stop with firewalls, so Ingrian retired back to the US where business was better.

Recently I worked in the channel again for one of the biggest IT Security distis in the UK, Equip Technology, now part of Horizon Group. As well as helping to bring Ingrian back on board with a new sales lead at the helm, Jon Shaw, I helped to raise the profile of F5 in the channel to some extent with the help of Louise Mowatt, and worked with Bluecoat to spread the word courtesy of Graham Davidson and co.

Having a bigger view of the market surprised me. Mainly because after a very short while I noticed the following technologies were at the fore:

1. Authentication and identity management to make it more secure and manageable. This is a step forward, it may seem small, but it's about the right pace for a mature technology to move. That's another reason I'm not doing it, I'm far too impatient.
2. UTM (Firewalls and that), to protect your network of course! I "think" this is a step in the right direction, as discussed previously in this blog, but I also fear it may be sales driven, not security driven. Help! Too much too soon?
3. Load balancers. I really like what F5 are doing, in fact I've decided to write a post on this space, it's very interesting.
4. Something to protect data, no-one really knows what to buy yet, but they seem to be coming to a consensus view. Encryption is popular, but not yet understood. People need educating, the market moves slowly, but I think the time has finally come for this to work.

See, worth reading to the end wasn't it?

No comments: